CVE-2026-10546
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the URL component due to a TOCTOU race condition exploitable via DNS rebinding.
Risk Assessment
An attacker can exploit this vulnerability to send requests to internal network resources, potentially leading to exposure of sensitive data or further system compromise.
Recommendation
It is recommended to immediately upgrade IBM Langflow OSS to version 1.9.4 or later, which includes a fix for the TOCTOU race condition.
Original NVD description (English source)
IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component ( src/lfx/src/lfx/components/data_source/url.py ) due to a Time-of-Check/Time-of-Use (TOCTOU) race condition that can be exploited via DNS rebinding.

